Forum Discussion
Restrict Owners
- Nov 24, 2021
There will always need to be someone who has enough permissions to help fix things if things go south. The best practice is the use of named admin accounts; this way you can give the admin permissions to the named admin account and not your personal account.
On your personal account you will just see the data that you are allowed to see but on the named admin account you could see everything and help where needed.
The reason you still see the library after removing the owner permissions is because you are set as the site collection administrator, which is a higher permission than the owner group.
- Ben Leach, Nov 24, 2021, Copper Contributor
As mentioned earlier in this thread, you really don't want to lock away areas of a site from owners as it is a supportability issue, and again as has been said, there is always a role that will have access to everything in the site (known as the Site Collection Administrator).
If you have Business Premium or E3 licences, the best approach is to configure Sensitivity Labels within the Compliance Centre of Microsoft 365 Admin. You can define the label, configure it as requiring encryption and control who can access the content, assigning it to specific departments via security or M365 groups. Once you have created the label, deploy it to the users that you want to be able to use it via a Label Policy. The advantage of this approach is that even if the content is downloaded and shared either internally or outside the organisation, the protection will still be applied and doesn't rely on having to set (and remember) passwords.